Introduction


Who is this manual for? 


This manual is an internal working document aimed at all levels of staff within 
the Freedom of Information and Transparency Directorate (FOI and 
Transparency Directorate). 


What is the purpose of this manual? 


This manual sets the pilot framework for how the FOI and Transparency 
Directorate will take regulatory action in line with the Commissioner’s statutory 
powers. It outlines how we will implement in practice our published Regulatory 
Action Policy (RAP) and utilise our statutory powers. 


It is important that we use the regulatory powers under the Freedom of 
Information Act 2000 (FOIA) and the Environmental Information Regulations 
2004 (EIR) fairly, consistently and in line with the Commissioner's RAP. 


The RAP sets out how the Commissioner intends to make the best use of his 
powers and outlines the circumstances when he will take regulatory action and 
the outcomes that any action aims to achieve. This makes it clear that any 
regulatory action must be proportionate, lawful, fair and rational. 


What is the status of this manual? 


This is the ICO’s pilot FOI and Transparency regulatory manual. It contains
practical guidance covering many of our regulatory powers under FOIA and the
EIR.


The manual is designed to be pragmatic. It identifies the methodology and 
process which the FOI and Transparency Directorate has developed to utilise the 
Commissioner's statutory powers. These processes are designed to be flexible 
and departure from the manual may in some cases be necessary on a 
discretionary basis and where justified on the facts of a particular case. 


The ways of working in this manual are being piloted from July 2022. We will 
regularly review the effectiveness of the approach set out and will update the 
manual as necessary following the pilot, which will be formally reviewed in April 
2023. A final version of the manual will then be published in summer 2023.
During the pilot we will consider both internal and external feedback on our
approach.


What is this manual not? 


This manual is not intended to be a full and complete breakdown of all elements
of the FOI and Transparency Directorate's regulatory work. It does not form part
of the ICO’s RAP, or other policy position, and instead should be considered as
helpful guidance, on a practical level, for staff working in the FOI and
Transparency Directorate.


How should I use this manual? 


This manual should be used as a point of reference, or practical tool when 
considering and taking regulatory action. It includes key considerations for how 
you should decide which of our regulatory options may be appropriate. 


What is the scope of this manual? 
The scope of this manual covers the ICO’s approach to: 


• Issuing Decision Notices;
• Issuing Information Notices;
• Making Practice Recommendations;
• Issuing Enforcement Notices; and
• Certifying cases of Contempt to the High Court


The issuing of Decision Notices is the most routine form of regulatory action 
undertaken by FOI casework to order disclosure of requested information. We 
have established processes for the regular practice of issuing Decision Notices, 
and Information Notices on individual cases, which are included in the FOIA/EIR 
service guide, case handling process map and DN - sign off procedure. However, 
this document deals with action relating to non-compliance with Decision Notices 
and Information Notices along with wider concerns with the performance of 
public authorities. 


Exclusions 


This manual does not include the ICO’s approach to the criminal offence at 
section 77 FOIA. The ICO’s Criminal Investigation Team are responsible for 
consideration of, and prosecution for, an offence under section 77 FOIA in 
accordance with the ICO Prosecution Policy. The ICO’s Investigations directorate 
has a separate manual. 


The provision at section 55 and Schedule 3 of FOIA to ask the court for a 
warrant, which is most likely to be used in connection with section 77 FOIA, is 
also not included in this manual. 


The Commissioner’s power to lay a report before Parliament, which may be used 
if there is evidence of a systemic problem relating to a particular issue or 
organisation or sector, is also not included in this manual.


Regulatory context


What are the ICO’s regulatory responsibilities and powers under FOIA? 
Section 47 FOIA lists our general responsibilities which include: 


• promoting good practice by public authorities and performing our obligations so
  as to encourage public authorities to follow FOIA requirements and the associated
  codes of practice;

• sharing information with the public about how FOIA works, what good practice
  looks like and what the ICO’s role is in relation to FOIA;

• giving advice to the public and public authorities about FOIA; and

• assessing whether a public authority (with their consent) is following good
  practice.


The Section 45 Code of Practice gives recommendations for public authorities 
about their handling of requests. Its coverage includes: 


• timeliness;
• the situations in which advice and assistance should be given to those
  making requests;
• the complaints procedures that should be in place;
• and various considerations that may affect relationships with other public
  bodies or third parties.


The Section 46 Code of Practice covers good records management practice and 
the obligations of public authorities under Public Records legislation. 


If we believe a public authority is not acting appropriately regarding their duties
under the codes of practice associated with FOIA, then we can (under section 48
FOIA) make formal recommendations explaining what they need to do to meet their
obligations. Where such a recommendation relates to the section 46 Code of
Practice about good record keeping and compliance with the relevant Public
Records Act, we will consult with The National Archives.


Anyone can ask us to decide whether a public authority dealt with their 
particular request for information in line with FOIA. If we decide that they did 
not, we can issue a Decision Notice (in compliance with section 50 FOIA) which 
tells the public authority what they must do to comply with FOIA. 


If we are not sure whether a public authority is complying with FOIA or we need
further information, then we can issue an information notice (section 51 FOIA).
This requires the public authority to provide information to us which helps us to
decide.


If we decide that a public authority is not complying with FOIA, then we can
issue an enforcement notice (section 52 FOIA). This can make the public
authority comply with any of the requirements of Part I of FOIA. If a public
authority does not comply with a notice we issue, then we can certify to the
court to make it aware of this (section 54 FOIA). This could result in the public
authority being held in contempt of court.


Under section 77 FOIA we may decide to take a public authority (or any person 
who is employed by, an officer of or subject to the direction of the public 
authority) to court for an offence of altering records with intent to prevent 
disclosure (except for offences committed in Scotland, which we would refer to 
the Procurator Fiscal). 


What are the ICO’s regulatory responsibilities and powers under the 
EIR? 


Our responsibilities and powers under FOIA (see above) also apply to the EIR. 


These include the power to issue a practice recommendation in relation to the 
Code of Practice under regulation 16 of the EIR. 


The regulation 16 Code of Practice provides guidance on how to deal with 
requests for environmental information and states what level of procedural 
service would be good practice for public authorities to achieve. 


What is monitoring and what are we using it for? 


Monitoring is the collation of quantitative and qualitative evidence as to a public 
authority’s compliance with FOIA and the EIR and any trends or patterns of 
behaviour within sectors or other groups of public authorities. Our aim is not 
simply to create relatively static lists of the ‘most complained about’ authorities, 
but to take a holistic view of the evidence we can see about the quality of 
compliance with information rights law across the regulated community. 


We use monitoring to identify where we can increase our level of support to 
public authorities through our approach to upstream regulation and where we 
should use our statutory powers due to consistently poor performance and 
failure to comply with the law. The diagram below shows a likely hierarchy of 
some of our outcomes.


[Diagram: hierarchy of outcomes, ordered by volume from Low (top) to High (bottom)]

• e.g. Enforcement notice
• e.g. Practice recommendation
• Consensual audit
• e.g. Issues recorded in decision notices and early/informal resolution letters
• Supportive action: Engagement with public authorities
• Guidance provided


Not all monitoring will result in regulatory action. As described in the ‘Making 
decisions’ section below, we will review the results of the evidence from 
monitoring to decide on an appropriate course of action. 


Who carries out this work? 

The regulatory responsibilities and powers under FOIA and the EIR are 
predominantly undertaken by staff within the FOI and Transparency Directorate. 
These include: 


• Director of FOI and Transparency: responsible for strategic leadership and
  direction of the team.
• Head of Casework: responsible for oversight of the casework function and
  FOI policy.
• Group and Team Managers: responsible for sector and early resolution
  casework teams and ensuring the quality and timeliness of casework.
• Principal Advisers (and related teams): responsible for a range of support
  functions from policy and Tribunal reviews, to monitoring activity and
  upstream regulation.
• Caseworkers: responsible for delivering timely, high quality casework
  within organisational KPIs.


These staff work with others across the organisation to support the use of these 
powers. For example, the ICO’s Legal Services (FOI Appeals) take action in 
respect of contempt of court proceedings for failure to comply with a notice we 
issue. 


See Appendix 1 for more details as to specific roles and responsibilities of staff 
within the FOI and Transparency Directorate in relation to taking regulatory 
action in line with this manual.


Who are the high-level decision makers?


As a Corporation Sole, the Information Commissioner’s functions are vested 
personally in the Commissioner. However, the Commissioner is able to delegate 
his functions to officers and staff. The Scheme of Delegations formally details the 
Commissioner’s main delegations. 


See Appendix 2 for more details as to delegated authorities. 


Carrying out our work 


Monitoring performance 


We take an evidence-based approach to monitoring performance using what we 
see from casework, other internal evidence, and, where available, external 
information. 


Evidence from casework 


We must capture concerns about the way that public authorities have dealt with
information requests in a way that allows us to identify trends or patterns of
behaviour. This will provide evidence that will allow us to consider regulatory
action on the basis of a public authority's overall performance. These concerns
will be apparent to case officers as they process casework.


All case officers should record concerns identified through day-to-day casework 
as they arise. This allows for specific issues, for example timeliness and 
inappropriate use of exemptions, to be recorded in a consistent manner and 
enables the managers to track emerging issues to inform strategic 
considerations. 


If a caseworker has a strong concern about an individual case, they should 
consider what action could be taken and discuss with their manager 
immediately. 


Examples of this include, but are not limited to, the following:

• The PA has a significant backlog of requests.
• The PA cannot process requests for some reason.
• The PA is obviously failing to engage on a case.
• The PA is clearly failing to comply with provisions of the Codes of Practice.
• The PA has approached the case officer to raise awareness of issues with
  their performance.


Other evidence 


The ICO sees a small percentage of the information requests made to public 
authorities via casework. We need to find ways to factor in how public 
authorities deal with the cases that don’t get raised with us. We consider overall 
performance statistics from central government and will explore what other
information is available in relation to other public authorities and sectors (such
as data in Annual Reports, responses to previous requests that are available 
online etc) to make decisions on whether regulatory action is appropriate. 


We develop on-line assessment tools for different aspects of compliance and will 
look at how well these are being used by public authorities where possible. We 
will also consider a public authority’s approach to their FOI and EIR obligations 
generally by looking at their proactive disclosure and publication schemes. 


We will also use the responses to ICO decision and information notices as
evidence of a public authority's overall approach to the legislation.


Using intelligence 


The ICO’s Intelligence Department produces a number of products that include 
the Strategic and Tactical Assessments and Prioritisation Framework. We will 
give consideration to these and our overall approach will be guided by the ICO’s 
wider regulatory priorities. 


The intelligence products may recommend specific themes or sectors of interest 
and inform regulatory decisions. In turn, information collected by the Directorate 
will be structured in a way to allow analysis by the Intelligence Department 
alongside wider ICO datasets. 


Considering our approach 


Formal regulatory action decisions will ultimately be made in line with our 
delegated authorities (see Appendix 2). 


To support our new more strategic approach, however, a new senior oversight 
group will be established to look holistically at the evidence we are seeing across 
the public sector about compliance with information rights law. This group will 
meet regularly and include the managers, Principal Advisers, the Upstream 
Regulation Officer, the Head of Casework and the Director of FOI and 
Transparency. Other attendees will be invited as necessary, including from the 
organisation more widely. Discussion will be led by the managers and Principal 
Advisers, who will propose regulatory action based on the latest intelligence from 
their sectors and the broader evidence available. This will then inform our 
thinking on what action may be needed. 


The purpose of the meetings is to ensure consistency and to develop a 
proportionate and impactful approach, in line with capacity and our resources, 
whereby use of our range of regulatory powers becomes business as usual. It 
will also help us identify where individual public authorities, or sectors more 
generally, may benefit from support from our upstream regulation team to 
support improvements in performance.
It will also discuss our plans for taking regulatory action and whether this is
being progressed quickly enough and in a consistent way across sectors based 
on the evidence we are seeing. 


Although the focus is on FOI and EIR casework, we also need to routinely
consider enforcement activity in the context of the wider performance of a public
authority in relation to Data Protection and other legislation we regulate. This
includes ensuring that any regulatory action taken in relation to data protection
and any other casework does not adversely affect access to information rights as
public authorities resource any remedial activity they are taking in other areas.


Alongside the operation of this manual therefore, the Principal Policy Adviser 
(PPA)/Upstream Regulation Officer will take responsibility for co-ordinating with 
Public Advice and Data Protection Complaints (PADPC), Assurance and other 
colleagues to horizon scan upcoming regulatory activity and identify overlaps. 


Taking regulatory action 
The action we may take can be characterised into three levels: 


• Level 1:

  • Record an individual/potentially systemic issue in the ‘other
    matters’ section of a Decision Notice, Information Notice or
    early/informal resolution letter.
  • Engagement with public authority.

  These actions may provide guidance or seek informal remedial action
  such as an action plan.

• Level 2:

  • Issue a Practice Recommendation to deal with a repeated or
    potentially significant issue; and/or
  • offer a consensual audit.

• Level 3:

  • Issue an Enforcement Notice to deal with a repeated and/or
    significant or systemic issue.
  • Certify failure to comply with a statutory notice to the High Court.


Level 1 actions will be undertaken by FOI casework as a result of a complaint, or 
complaints, or report by an organisation that they are struggling with 
compliance. 


Level 2 and 3 actions may be undertaken by the FOI and Transparency 
Directorate or other ICO departments (for example, Assurance may conduct an 
audit and Legal may certify failure to comply with a statutory notice to the High 
Court).


Aggravating and mitigating factors will be taken into account as described in the
RAP. Although all factors in the RAP are available for consideration, we envisage 
the following to be particularly relevant when we consider use of our regulatory 
powers under the FOIA and EIR: 


Aggravating factors 


• the attitude and conduct of the person or organisation concerned
  suggests an intentional, wilful or negligent approach to compliance or an
  unlawful business or operating model;

• the breach or potential breach is particularly serious (for example,
  whether it involves any critical national infrastructure or service. Critical
  national infrastructure includes buildings, networks and other necessary
  systems that provide essential public services, for example energy,
  finance, telecoms and water services);

• the person or organisation significantly or repeatedly failed to follow the
  good practice set out in the codes of practice we are required to promote;

• the person or organisation did not follow relevant advice, warnings,
  consultation feedback, conditions or guidance from us;

• the person or organisation failed to comply with an information notice, a
  decision notice or an enforcement notice;


Mitigating factors 


• if the person or organisation notified us of the issue early and has been
  open with us;

• any early action the organisation took to ensure future compliance with
  a relevant code of practice;

• whether the person or organisation co-operated fully with us during any
  investigation.


Other factors we may consider 


• the cost of measures to mitigate any risk, issue, or harm;

• the gravity and duration of a breach or potential breach;

• whether the person or organisation is representative of a sector or
  group, raising the possibility of similar issues arising again across that
  group or sector if they do not address them;

• the public interest in taking regulatory action (for example, to provide
  an effective deterrent against future breaches or clarify or test an issue in
  dispute); and

• whether another regulator, law enforcement body or competent
  authority is already taking (or has already taken) action over the same
  matter.


Steps when action decided 

The proposed action, and responsibility and timescales for that action, will be 
agreed, recorded and followed up at subsequent meetings. 

Where the decision is for a level 1 action, this will be recorded locally. 


Where the decision is for a level 2 or 3 action, this will be recorded on the 
‘Monitoring and enforcement’ tracker. This is a multi-tab spreadsheet to record 
progress of regulatory action from it being: 


1. considered by the senior oversight group, 
2. undertaken, and 
3. completed. 


Overview diagram 


The following diagram is an overview of the above framework for taking 
regulatory action. 


[Diagram: three stages, Recording concerns → Making decisions → Taking action]

Recording concerns
• Case officer (CO) or monitoring identifies evidence of performance concern.
• CO records the evidence locally.
• CO makes record of any further explanation and where this is stored (e.g. ICE).

Making decisions
• All evidence reviewed.
• [illegible] timescales agreed.
• Where the action is level 2 or 3 - record on the "Monitoring and enforcement" tracker.

Taking action
• Owner of action will be responsible for completing action taken (this may be a CO).
• Feedback will be given on action taken (i.e. to original CO) and actions reviewed.
• Measures of success to be considered.


Regulatory outcomes 

The diagram below is illustrative of how we envisage cycling through our
range of regulatory powers. However, not every power will be used in this order
for the same issue.


[Diagram: cycle of regulatory powers, showing:]

• Decision & Information notices
• (Early/informal resolution) letters
• Practice recommendations
• Consensual audits
• Enforcement notices
• Certification of failure to comply with statutory notice

Notes on the diagram:

• It may be appropriate to serve a Practice recommendation, without a Decision
  Notice first being issued, where the issue squarely relates to either of the
  Codes of Practice under section 45 or 46 of FOIA.
• It may be necessary to issue an Enforcement Notice to group together cases of
  a similar nature where neither Decision Notices nor Practice recommendations
  have been issued.


Triggers for action 

The following are examples of when we may use our regulatory powers. We
consider these to be emerging triggers for action. The lists are not exhaustive.


Decision Notices

Decision Notices are issued where a valid complaint has been made under 
section 50 of FOIA. 

Information Notices 


Guidance as to when we will issue Information Notices as a matter of usual 
practice is included in the service guide. There may be other situations where we 
issue an Information Notice, for example:


➢ We need specified information to undertake an investigation of a matter
  that falls outside of a section 50 complaint, such as an investigation into
  the use of private communication channels for official business.


Practice recommendations 


Practice recommendations are used to bring about systemic improvements in 
relation to the codes of practice.


➢ The public authority has failed to comply with the code of practice issued
  under section 45 of the FOIA.
  Examples of when we could issue a practice recommendation under the
  section 45 code of practice include:
    ➢ The public authority consistently responds to information requests,
      or requests for an internal review, late.
    ➢ The public authority has a backlog of information requests relative
      to the volume of information requests it receives, and it is projected
      that it will take a significant period for them to recover that backlog.
    ➢ The public authority failed to provide an adequate refusal notice.
    ➢ The public authority failed to consult or refer a request to a public
      authority more able to respond.
    ➢ The public authority failed to provide advice and assistance.
    ➢ The public authority failed to consult with a third party such as a
      commercial entity.
    ➢ The public authority consistently misapplies the cost limit.
    ➢ The public authority consistently misapplies the vexatious provision.
    ➢ The public authority fails to maintain an adequate publication
      scheme.
    ➢ The public authority does not publish compliance statistics in
      accordance with section 8.5.
    ➢ The public authority does not publish a postal address and email
      address (or appropriate online alternative) to which applicants can
      send requests for information or for assistance.
    ➢ We want to highlight areas of good practice.


➢ The public authority has failed to comply with the code of practice issued
  under section 46 of the FOIA.
  Examples of when we could issue a practice recommendation under the
  section 46 code of practice include:
    ➢ The public authority does not have in place organisational
      arrangements that support records management.
    ➢ The public authority does not know what records it holds or where
      its records are held.
    ➢ The public authority does not ensure that it operates effective
      arrangements to determine which records should be selected for
      permanent preservation.
  Where such a recommendation relates to records which are public records
  for the purposes of the relevant Public Records Act, we will consult with
  The National Archives.


➢ The public authority has failed to comply with the code of practice issued
  under regulation 16 of the EIR.
  Examples of when we could issue a practice recommendation under the
  regulation 16 code of practice include:
    ➢ The public authority consistently responds to information requests,
      or requests for an internal review, late.
    ➢ The public authority has a backlog of information requests relative
      to the volume of information requests it receives, and it is projected
      that it will take a significant period for them to recover that backlog.
    ➢ The public authority does not have adequate training in place
      regarding requests for environmental information.
    ➢ The public authority does not meet their obligation to progressively
      make environmental information available to the public.
    ➢ The public authority failed to provide advice and assistance.
    ➢ The public authority fails to ensure that any charges it makes are
      reasonable and made in accordance with a charging schedule.
    ➢ The public authority fails to follow the guidance in the regulation 16
      code of practice relating to:
        ▪ transferring requests,
        ▪ consultation with third parties,
        ▪ public sector contracts,
        ▪ accepting information in confidence,
        ▪ consultation with devolved administrations,
        ▪ the refusal of requests, or
        ▪ the review and complaints procedures.


Audits 


An audit assesses whether a public authority is complying with the legislation 
and the extent to which it is following good practice. Where weaknesses are 
identified an audit gives practical advice on how to improve. We can only 
conduct an audit in relation to FOIA or the EIR with the consent of the public 
authority. 


Examples of factors Regulatory Assurance take into account when deciding 
whether to invite a public authority to consent to an audit may include:

➢ The number of complaints received about the public authority.
➢ Lack of engagement by the public authority.
➢ The public authority not adhering to deadlines.
➢ The public authority not adhering to appeal processes.
➢ The public authority not having an adequate publication scheme.
➢ The public authority not adhering to the s45 and s46 codes of
  practice.
➢ Media reports or other external insight suggesting that the public
  authority is failing to comply with the legislation.
➢ Previous audits undertaken.
➢ Other ICO work with the public authority.


Regulatory Assurance use this Audit Referral Form. 


Enforcement notices 
Enforcement notices are used where there are repeated and/or significant or 
systemic issues in compliance with any of the requirements of Part 1 of FOIA.


➢ The public authority consistently responds to information requests, or
  requests for an internal review, late.

➢ The public authority has a backlog of information requests relative to the
  volume of information requests it receives, and it is projected that it will
  take a significant period for them to recover that backlog.

➢ The public authority has outstanding requests that are significantly over
  the time limit for compliance.

➢ The public authority consistently uses inappropriate means to delay or
  refuse an information request.

➢ The public authority fails or is unwilling to provide the ICO with a cogent
  and measurable action plan as to how it will improve its compliance with
  section 10 FOIA/regulation 5 EIR.

➢ The public authority fails to comply with its own action plan.

➢ The public authority consistently fails to provide advice and assistance to
  requestors, when it is reasonable for them to do so.

➢ The public authority consistently misapplies exemptions.

➢ The public authority consistently fails to comply with other obligations
  placed upon it by Part 1 of the FOIA. Such matters may include failing
  to provide information in an appropriate form and format, a failure to
  release appropriate datasets for re-use and the charging of inappropriate
  fees.


Certification for failure to comply with statutory notices 


We may certify in writing to the High Court where a public authority has failed,
without good reason or explanation, to comply with a statutory notice issued by
the ICO under sections 50, 51 or 52 of the FOIA.


Follow-up (and feedback) 


We will assign responsibility for following up regulatory action where needed to 
an appropriate named individual who will ensure that the action is taken by the 
public authority according to the agreed timescale. 


We will give feedback to the Directorate, including the case officers involved in
logging the issues and concerns, as to the action taken.


Managing communication 


We will take action to publish and publicise our work in these areas in line with 
the ICO’s Regulatory and Enforcement Communications Action Policy (RECAP). 
We will consider the guiding principles and factors in favour of, and preventing 
or deterring, publishing or publicising. 


We will always seek to communicate with a focus, direction and confidence that 
provides maximum impact and effect and in a way that aligns with both our RAP 
and our Publication Scheme.


Evaluation


We will review regulatory action taken in line with the ‘Assessing the outcomes of
our regulatory actions’ section of the RAP to consider the scope and
effectiveness of our chosen regulatory activities in achieving our desired
outcomes. We will identify clear objectives when we take regulatory action so
that we can review the impact of our actions against these objectives.


The way we assess the use of our regulatory powers will vary depending on the 
reasons for the activities and the action taken. We envisage the evaluation 
options to include: 


• Following up with the public authority to assess ongoing compliance and
  improvements on a granular basis. Where necessary, we may use other
  regulatory tools if our initial action does not achieve the desired outcome.
• Developing and making use of tools to quantify the impact of our work.
• Seeking internal and external feedback to improve the quality of our outputs.
• Use of wider intelligence.


The review and evaluation process will include lessons learned exercises to 
identify areas to continuously improve our ways of working and to develop 
further consistency in the use of our regulatory powers.


Appendix 1


Roles and responsibilities 


The following diagram shows the responsibilities we envisage for each of the roles within the FOI and Transparency 
Directorate. 
Case Officers 

• Record concerns identified through day-to-day casework. 

• Where there are strong concerns about an individual case, consider what action could be taken 
and discuss with their manager immediately. 

• Undertake regulatory action where requested by the senior oversight group. 


Group & Team Managers 

• Review local evidence ahead of the regular meeting. 

• Propose regulatory action at the regular meeting. 

• Make decisions as part of the senior oversight group. 

• Undertake regulatory action where requested by the senior oversight group. 


Upstream Regulation Officer/PPA 

• Identify trends from the local evidence. 

• Review non casework evidence/intelligence and identify trends. 

• Propose regulatory action at the regular meeting. 

• Make decisions as part of the senior oversight group. 

• Undertake regulatory action where requested by the senior oversight group. 


Upstream team 

• Undertake regulatory action where requested by the senior oversight group. 

• Maintain oversight of regulatory action undertaken. 

• Own ‘Monitoring and enforcement tracker’ and progress public authority through the 3 stages. 

• Communication & Evaluation. 


Head of/Director 

• Make decisions as part of the senior oversight group. 


20220620 V1.0 Pilot 


FOI and transparency regulatory manual 2022 


Appendix 2 


Delegated authority 


Power in Scheme: FOIA S.50, EIR Regulation 18, INSPIRE Regulation 11 & RPSI 
Regulation 18 - Resolving complaints 
Level delegated to: Level E 
Level usually exercised by: E&F 
Controls and escalations: We issue and publish around 1300-1500 Decision 
Notices (DNs) a year (just under a quarter of our annual intake). All DNs are 
either peer-reviewed or manager reviewed before publication. We can offer an 
informal resolution where appropriate. DNs under FOIA and all the Regulations 
can be appealed by either party to the First-Tier Tribunal. Appeals are 
overseen by the legal dept, with casework input as needed. 


Power in Scheme: FOIA s.51 - Information Notices 
Level delegated to: EVs 
Level usually exercised by: E&F 
Controls and escalations: Used as needed by case officers to require relevant 
material to be provided by the public authority to aid the determination of a 
case. When issued, they are cleared through the sectoral Group Manager to 
ensure they are proportionate and appropriate. They can be appealed to the 
Tribunal - although this has been relatively rare to date. Non-compliance is 
escalated through the Legal dept and we can take court action if no response 
is received. 


Power in Scheme: FOIA s.52 - Enforcement Notices 
Level delegated to: Level E 
Level usually exercised by: Level F 
Controls and escalations: Used to correct systemic issues linked to compliance 
with the FOIA Codes of Practice. ENs can be appealed to the Tribunal. 


Power in Scheme: FOIA s.48(1) - Practice Recommendations 
Level delegated to: Level F 
Level usually exercised by: F 
Controls and escalations: These make recommendations to PAs to improve their 
information rights practices in line with the Good Practice the Commissioner 
thinks should be followed. They are not enforceable through the courts. 
Instead, they are intended to be educative. Usually followed up with a 
three-month review to check on progress. At present, the HoD (via the Group 
Manager) would be involved in any early deliberations as to whether the PR is 
appropriate and the Director would be informed if progression is confirmed. 


Power in Scheme: S.77 FOIA and EIR Regulation 19(4) - Prosecution of the 
offence of altering records 
Level delegated to: Level F (Legal) 
Level usually exercised by: Level G2 (Legal) and Level G (FOI) 
Controls and escalations: These are criminal offences under FOIA and the EIRs. 
There are separate processes in place for dealing with any potential offences. 
In such cases you should immediately notify your Group Manager if you have 
concerns an offence may have been committed so that this can be escalated as 
necessary. There is a six-month statutory time limit on the commencement of 
proceedings from the date of the alleged offence and swift action is therefore 
essential in such cases. 


Power in Scheme: FOIA S.54(1) - Certification to the Court of a failure to 
comply with a notice 
Level delegated to: Level G 
Level usually exercised by: Level G/G2 
Controls and escalations: If a PA does not comply with one of the formal 
notices issued under s50, 51 or 52 of FOIA, referral to the High Court for a 
finding of contempt can be made. You should engage the legal team quickly if 
there has been a failure to comply and an unsuitable response to your queries. 
In the event of a notice deadline being missed, a seven-day letter is issued 
by legal that requires compliance or legal proceedings will begin. 